The Department of Health and Human Services’ Office of Inspector General has published the findings of its 2017 fiscal review of HHS compliance with the Federal Information Security Modernization Act of 2014.

The FISMA compliance review revealed the HSS is continuing to make improvements to its information security program, although OIG identified several areas of weakness. The findings from the latest FISMA compliance review highlighted similar vulnerabilities and weaknesses to the review conducted for fiscal 2016.

A department-wide Continuous Diagnostics and Mitigation (CDM) program is being developed by the HHS which will allow it to monitor its networks, information systems, and personnel activity and information security programs have been strengthened since the review was last conducted. However, OIG identified several areas where improvements could be made. Weaknesses and vulnerabilities were found in HHS risk management, identity and access management, configuration management, security training, incident response, contingency planning and information security continuous monitoring.

There were several areas of concern in configuration management. At all four of the operational divisions (OPDIVs) there were instances of noncompliance with configuration management policies and procedures. OIG identified failures to ensure all software was up to date and patches were applied promptly and vulnerability scans using Security Content Automation Protocol (SCAP) tools were missed. OIG also found some operating systems in use that were not supported by the vendors. At some OPDIVs, configuration management personnel were not tracking the approvals, testing results, and migration dates within change management tracking tools.

Weaknesses were found in the detect function, the purpose of which is to develop and implement appropriate activities to identify the occurrence of cybersecurity events.

Training issues were identified with some OPDIVs having failed to train all staff, including new recruits. While the number of employees that had not been sufficiently trained was low, those individuals pose a considerable risk to the security of HHS systems and network. Two OPDIVs were not effectively tracking the security training status of personnel and contractors.

Risk management issues were identified at some of the operating divisions, with risk management policies and procedures not yet finalized. OIG also reports that some OPDIVs could not provide a list of all devices and software used on the network, and neither were they able to provide details of unauthorized software used on the network.

Issues with identity and access management included account management procedures not always being followed, including the monitoring and maintenance of shared accounts. There were failures to remove inactive accounts and enforce resets of active account passwords, and to disable accounts in a timely manner when employees were transferred or terminated.

The flaws and weaknesses identified in the report are common across the entire healthcare industry. The HHS’ Office for Civil Rights has fined HIPAA covered entities for similar flaws to those identified by OIG.

OIG has made several recommendations to the HSS to improve security, processes and procedures to further reduce risk and ensure compliance with FISMA. The HHS concurred with all of OIG’s recommendations and will work at implementing further controls and updating its policies and procedures accordingly.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.